| T0006 | Advocate organization's official position in legal and legislative proceedings | 2 |
| T0020 | Develop content for cyber defense tools | 1 |
| T0067 | Develop architectures or system components consistent with technical specifications | 1 |
| T0068 | Develop data standards, policies, and procedures | 1 |
| T0077 | Develop secure code and error handling | 1 |
| T0080 | Develop test plans to address specifications and requirements | 1 |
| T0081 | Diagnose network connectivity problems | 1 |
| T0084 | Employ secure configuration management processes | 3 |
| T0101 | Evaluate the effectiveness and comprehensiveness of existing training programs | 1 |
| T0116 | Identify organizational policy stakeholders | 1 |
| T0122 | Implement security designs for new or existing systems | 1 |
| T0124 | Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts) | 1 |
| T0126 | Install or replace network hubs, routers, and switches | 1 |
| T0129 | Integrate new systems into existing network architecture | 1 |
| T0137 | Maintain database management systems software | 1 |
| T0141 | Maintain information systems assurance and accreditation materials | 0 |
| T0153 | Monitor network capacity and performance | 1 |
| T0164 | Perform cyber defense trend analysis and reporting | 2 |
| T0167 | Perform file signature analysis | 2 |
| T0168 | Perform data comparison against established database | 2 |
| T0172 | Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView) | 2 |
| T0173 | Perform timeline analysis | 3 |
| T0179 | Perform static media analysis | 2 |
| T0182 | Perform tier 1, 2, and 3 malware analysis | 2 |
| T0193 | Process crime scenes | 1 |
| T0220 | Resolve conflicts in laws, regulations, policies, standards, or procedures | 5 |
| T0226 | Serve on agency and interagency policy boards | 2 |
| T0235 | Translate functional requirements into technical solutions | 1 |
| T0237 | Troubleshoot system hardware and software | 1 |
| T0262 | Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness) | 1 |
| T0271 | Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information) | 1 |
| T0274 | Create auditable evidence of security measures | 1 |
| T0292 | Recommend computing environment vulnerability corrections | 1 |
| T0299 | Identify network mapping and operating system (OS) fingerprinting activities | 1 |
| T0309 | Assess the effectiveness of security controls | 2 |
| T0311 | Consult with customers about software system design and maintenance | 2 |
| T0330 | Maintain assured message delivery systems | 1 |
| T0349 | Collect metrics and trending data | 1 |
| T0383 | Program custom algorithms | 1 |
| T0397 | Perform Windows registry analysis | 1 |
| T0412 | Conduct import/export reviews for acquiring systems and software | 4 |
| T0422 | Implement data management standards, requirements, and specifications | 1 |
| T0431 | Check system hardware availability, functionality, integrity, and efficiency | 1 |
| T0437 | Correlate training and learning to business or mission requirements | 2 |
| T0459 | Implement data mining and data warehousing applications | 1 |
| T0460 | Develop and implement data mining and data warehousing programs | 1 |
| T0495 | Manage Accreditation Packages (e.g., ISO/IEC 15026-2) | 2 |
| T0510 | Coordinate incident response functions | 1 |
| T0512 | Perform interoperability testing on systems exchanging electronic information with other systems | 1 |
| T0513 | Perform operational testing | 1 |
| T0531 | Troubleshoot hardware/software interface and interoperability problems | 1 |
| T0542 | Translate proposed capabilities into technical requirements | 2 |
| T0569 | Answer requests for information | 1 |
| T0685 | Evaluate threat decision-making processes | 1 |
| T0686 | Identify threat vulnerabilities | 0 |
| T0698 | Facilitate continuously updated intelligence, surveillance, and visualization input to common operational picture managers | 1 |
| T0707 | Generate requests for information | 1 |
| T0718 | Identify intelligence gaps and shortfalls | 1 |
| T0734 | Issue requests for information | 0 |
| T0751 | Monitor open source websites for hostile content directed towards organizational or partner interests | 1 |
| T0775 | Produce network reconstructions | 0 |
| T0818 | Serve as a liaison with external partners | 0 |
| T0845 | Identify cyber threat tactics and methodologies | 1 |
| T0898 | Establish an internal privacy audit program | 1 |
| T0934 | Identify stakeholder assets that require protection | 0 |
| T0937 | Determine the placement of a system within the enterprise architecture | 0 |
| T0942 | Identify the types of information to be processed, stored, or transmitted by a system | 0 |
| T0960 | Monitor changes to a system and its environment of operation | 0 |
| T1008 | Prepare and deliver education and awareness briefings | 1 |
| T1009 | Create a cybersecurity awareness program | 1 |
| T1010 | Communicate enterprise information technology architecture | 3 |
| T1011 | Apply standards to identify safety risk and protect cyber-physical functions | 3 |
| T1012 | Expand network access | 1 |
| T1013 | Conduct technical exploitation of a target | 1 |
| T1014 | Determine if security incidents require legal action | 1 |
| T1015 | Identify roles and responsibilities for appointed Communications Security (COMSEC) personnel | 1 |
| T1016 | Identify Communications Security (COMSEC) incidents | 1 |
| T1017 | Report Communications Security (COMSEC) incidents | 1 |
| T1018 | Identify in-process accounting requirements for Communications Security (COMSEC) | 1 |
| T1019 | Determine special needs of cyber-physical systems | 10 |
| T1020 | Determine the operational and safety impacts of cybersecurity lapses | 37 |
| T1021 | Review cyber defense service provider reporting structure | 2 |
| T1022 | Review enterprise information technology (IT) goals and objectives | 9 |
| T1023 | Identify critical technology procurement requirements | 11 |
| T1024 | Implement organizational security policies and procedures | 1 |
| T1025 | Implement organizational training and education policies and procedures | 3 |
| T1026 | Determine procurement requirements | 9 |
| T1027 | Integrate organizational goals and objectives into security architecture | 3 |
| T1028 | Research new vulnerabilities in emerging technologies | 2 |
| T1029 | Implement organizational evaluation and validation criteria | 1 |
| T1030 | Estimate the impact of collateral damage | 2 |
| T1031 | Implement intelligence collection requirements | 4 |
| T1035 | Determine how threat activity groups employ encryption to support their operations | 1 |
| T1036 | Integrate leadership priorities | 6 |
| T1038 | Integrate organization objectives in intelligence collection | 6 |
| T1039 | Identify network artifacts | 0 |
| T1041 | Determine impact of software configurations | 4 |
| T1043 | Determine staffing needs | 0 |
| T1046 | Assess operation performance | 2 |
| T1047 | Assess operation impact | 2 |
| T1049 | Determine appropriate level of test rigor for a given system | 1 |
| T1050 | Improve network security practices | 1 |
| T1051 | Set up a forensic workstation | 1 |
| T1052 | Integrate black-box security testing tools into quality assurance processes | 2 |
| T1053 | Identify and characterize intrusion activities against a victim or target | 1 |
| T1054 | Scope analysis reports to various audiences that accounts for data sharing classification restrictions | 6 |
| T1055 | Determine if priority information requirements are satisfied | 3 |
| T1056 | Acquire resources to support cybersecurity program goals and objectives | 4 |
| T1057 | Conduct an effective enterprise continuity of operations program | 3 |
| T1058 | Advise senior management on risk levels and security posture | 3 |
| T1059 | Perform cost/benefit analyses of cybersecurity programs, policies, processes, systems, and elements | 5 |
| T1060 | Advise senior management on organizational cybersecurity efforts | 5 |
| T1061 | Advise senior leadership and authorizing official of changes affecting the organization's cybersecurity posture | 1 |
| T1062 | Contribute insider threat expertise to organizational cybersecurity awareness program | 1 |
| T1063 | Determine data requirements | 1 |
| T1064 | Determine data specifications | 2 |
| T1065 | Determine data capacity requirements | 3 |
| T1066 | Plan for anticipated changes in data capacity requirements | 2 |
| T1067 | Recommend development of new applications or modification of existing applications | 4 |
| T1068 | Create development plans for new applications or modification of existing applications | 4 |
| T1069 | Evaluate organizational cybersecurity policy regulatory compliance | 3 |
| T1070 | Evaluate organizational cybersecurity policy alignment with organizational directives | 3 |
| T1071 | Evaluate software design plan timelines and cost estimates | 1 |
| T1072 | Determine life cycle support requirements | 1 |
| T1073 | Perform code reviews | 2 |
| T1074 | Prepare secure code documentation | 2 |
| T1075 | Implement application cybersecurity policies | 2 |
| T1076 | Implement system cybersecurity policies | 1 |
| T1077 | Assess the organization's cybersecurity architecture | 3 |
| T1078 | Determine effectiveness of system cybersecurity measures | 1 |
| T1079 | Develop cybersecurity risk profiles | 4 |
| T1081 | Create product prototypes using working and theoretical models | 1 |
| T1082 | Integrate software cybersecurity objectives into project plans and schedules | 2 |
| T1083 | Determine project security controls | 2 |
| T1084 | Identify anomalous network activity | 9 |
| T1085 | Identify potential threats to network resources | 3 |
| T1086 | Collect and maintain system cybersecurity report data | 1 |
| T1087 | Create system cybersecurity reports | 1 |
| T1088 | Communicate the value of cybersecurity to organizational stakeholders | 4 |
| T1089 | Create program documentation during initial development and subsequent revision phases | 1 |
| T1090 | Determine best methods for identifying the perpetrator(s) of a network intrusion | 3 |
| T1091 | Perform authorized penetration testing on enterprise network assets | 1 |
| T1092 | Conduct functional and connectivity testing | 2 |
| T1093 | Conduct interactive training exercises | 1 |
| T1094 | Conduct victim and witness interviews | 1 |
| T1095 | Conduct suspect interrogations | 1 |
| T1096 | Perform privacy impact assessments (PIAs) | 4 |
| T1097 | Determine functional requirements and specifications | 1 |
| T1098 | Determine system performance requirements | 1 |
| T1099 | Design application interfaces | 1 |
| T1100 | Configure network hubs, routers, and switches | 3 |
| T1101 | Optimize network hubs, routers, and switches | 3 |
| T1102 | Identify intrusions | 2 |
| T1103 | Analyze intrusions | 2 |
| T1104 | Document what is known about intrusions | 2 |
| T1105 | Construct access paths to suites of information | 1 |
| T1106 | Develop threat models | 1 |
| T1107 | Evaluate functional requirements | 4 |
| T1108 | Evaluate interfaces between hardware and software | 2 |
| T1109 | Resolve cyber defense incidents | 1 |
| T1110 | Coordinate technical support to enterprise-wide cybersecurity defense technicians | 1 |
| T1111 | Administer rule and signature updates for specialized cyber defense applications | 1 |
| T1112 | Validate network alerts | 1 |
| T1113 | Develop the enterprise continuity of operations strategy | 3 |
| T1114 | Establish the enterprise continuity of operations program | 3 |
| T1115 | Oversee the development of design solutions | 1 |
| T1116 | Correct program errors | 1 |
| T1117 | Determine if desired program results are produced | 1 |
| T1118 | Identify vulnerabilities | 7 |
| T1119 | Recommend vulnerability remediation strategies | 8 |
| T1120 | Create forensically sound duplicates of evidence | 2 |
| T1121 | Decrypt seized data | 2 |
| T1122 | Determine essential system capabilities and business functions | 3 |
| T1123 | Prioritize essential system capabilities and business functions | 3 |
| T1124 | Restore essential system capabilities and business functions after catastrophic failure events | 4 |
| T1125 | Define system availability levels | 2 |
| T1126 | Determine disaster recovery and continuity of operations system requirements | 2 |
| T1127 | Define project scope and objectives | 1 |
| T1128 | Design cybersecurity or cybersecurity-enabled products | 1 |
| T1129 | Develop cybersecurity or cybersecurity-enabled products | 1 |
| T1130 | Develop group policies and access control lists | 1 |
| T1131 | Determine if hardware, operating systems, and software applications adequately address cybersecurity requirements | 1 |
| T1132 | Design system data backup capabilities | 1 |
| T1133 | Develop technical and procedural processes for integrity of stored backup data | 1 |
| T1134 | Develop technical and procedural processes for backup data storage | 1 |
| T1135 | Design and develop software systems | 1 |
| T1136 | Determine level of assurance of developed capabilities | 1 |
| T1137 | Investigate suspicious activity and alleged digital crimes | 1 |
| T1138 | Create system testing and validation procedures and documentation | 2 |
| T1139 | Develop systems design procedures and processes | 1 |
| T1140 | Develop systems administration standard operating procedures | 1 |
| T1141 | Document systems administration standard operating procedures | 1 |
| T1142 | Validate data mining and data warehousing programs, processes, and requirements | 1 |
| T1143 | Develop network backup and recovery procedures | 1 |
| T1144 | Implement network backup and recovery procedures | 1 |
| T1145 | Develop strategic plans | 3 |
| T1146 | Maintain strategic plans | 3 |
| T1148 | Develop systems security design documentation | 1 |
| T1149 | Develop disaster recovery and continuity of operations plans for systems under development | 1 |
| T1150 | Test disaster recovery and continuity of operations plans for systems prior to deployment | 1 |
| T1151 | Develop cybersecurity designs for systems and networks with multilevel security requirements | 1 |
| T1152 | Develop cybersecurity designs for systems and networks that require processing of multiple data classification levels | 1 |
| T1153 | Integrate cybersecurity designs for systems and networks | 1 |
| T1154 | Develop risk, compliance, and assurance monitoring strategies | 4 |
| T1155 | Develop risk, compliance, and assurance measurement strategies | 4 |
| T1156 | Develop awareness and training materials | 1 |
| T1157 | Identify pertinent awareness and training materials | 1 |
| T1158 | Develop cybersecurity implementation policies and guidelines | 2 |
| T1159 | Create technical summary of findings reports | 2 |
| T1160 | Develop risk mitigation strategies | 2 |
| T1161 | Resolve system vulnerabilities | 1 |
| T1162 | Recommend security changes to systems and system components | 2 |
| T1163 | Develop cybersecurity countermeasures for systems and applications | 2 |
| T1164 | Develop risk mitigation strategies for systems and applications | 2 |
| T1165 | Develop risk, compliance, and assurance specifications | 0 |
| T1166 | Document security, resilience, and dependability requirements | 0 |
| T1168 | Define acquisition life cycle cybersecurity architecture requirements | 1 |
| T1169 | Define acquisition life cycle systems security engineering requirements | 1 |
| T1170 | Document preliminary or residual security risks for system operation | 0 |
| T1172 | Determine if systems security operations and maintenance activities are properly documented and updated | 1 |
| T1173 | Determine that the application of security patches for commercial products meets timeline requirements | 1 |
| T1174 | Document commercial product timeline requirements dictated by the management authority for intended operational environments | 1 |
| T1175 | Determine if digital media chain of custody processes meet Federal Rules of Evidence requirements | 2 |
| T1176 | Determine if cybersecurity-enabled products reduce identified risk to acceptable levels | 2 |
| T1177 | Determine if security control technologies reduce identified risk to acceptable levels | 2 |
| T1178 | Determine if security improvement actions are evaluated, validated, and implemented as required | 2 |
| T1179 | Determine if systems and architecture are consistent with cybersecurity architecture guidelines | 2 |
| T1180 | Determine if cybersecurity inspections, tests, and reviews are coordinated for the network environment | 1 |
| T1181 | Determine if cybersecurity requirements are integrated into continuity planning | 1 |
| T1182 | Determine if security engineering is used when acquiring or developing protection and detection capabilities | 1 |
| T1183 | Determine if protection and detection capabilities are consistent with organization-level cybersecurity architecture | 1 |
| T1184 | Establish stakeholder communication channels | 2 |
| T1185 | Maintain stakeholder communication channels | 3 |
| T1186 | Establish enterprise information security architecture | 2 |
| T1187 | Establish internal and external cross-team relationships | 2 |
| T1188 | Determine if baseline security safeguards are appropriately installed | 1 |
| T1189 | Determine if contracts comply with funding, legal, and program requirements | 2 |
| T1190 | Determine hardware configuration | 2 |
| T1191 | Determine relevance of recovered data | 2 |
| T1192 | Conduct analysis of computer network attacks | 1 |
| T1193 | Allocate security functions to components and elements | 1 |
| T1194 | Remediate technical problems encountered during system testing and implementation | 1 |
| T1195 | Direct the remediation of technical problems encountered during system testing and implementation | 1 |
| T1196 | Determine if security incidents are indicative of a violation of law that requires specific legal action | 1 |
| T1197 | Identify common coding flaws | 2 |
| T1198 | Identify data or intelligence of evidentiary value | 1 |
| T1199 | Identify digital evidence for analysis | 3 |
| T1200 | Identify elements of proof of cybersecurity crimes | 1 |
| T1201 | Determine implications of new and upgraded technologies to the cybersecurity program | 1 |
| T1202 | Determine software development security implications within centralized and decentralized environments across the enterprise | 2 |
| T1203 | Implement software development cybersecurity methodologies within centralized and decentralized environments across the enterprise | 2 |
| T1204 | Determine cybersecurity measures for steady state operation and management of software | 2 |
| T1205 | Incorporate product end-of-life cybersecurity measures | 2 |
| T1206 | Recommend cybersecurity or cybersecurity-enabled products for use within a system | 1 |
| T1207 | Collect documentary or physical evidence of cyber intrusion incidents, investigations, and operations | 2 |
| T1208 | Implement new system design procedures | 2 |
| T1209 | Implement new system test procedures | 2 |
| T1210 | Implement new system quality standards | 2 |
| T1212 | Implement cybersecurity countermeasures for systems and applications | 1 |
| T1214 | Install network infrastructure device operating system software | 3 |
| T1215 | Maintain network infrastructure device operating system software | 3 |
| T1217 | Determine if system analysis meets cybersecurity requirements | 1 |
| T1218 | Integrate automated capabilities for updating or patching system software | 1 |
| T1219 | Develop processes and procedures for manual updating and patching of system software | 1 |
| T1221 | Disseminate incident and other Computer Network Defense (CND) information | 2 |
| T1222 | Determine security requirements for new information technologies | 3 |
| T1223 | Determine security requirements for new operational technologies | 3 |
| T1224 | Determine impact of noncompliance on organizational risk levels | 2 |
| T1225 | Determine impact of noncompliance on effectiveness of the enterprise's cybersecurity program | 2 |
| T1226 | Align cybersecurity priorities with organizational security strategy | 2 |
| T1227 | Manage cybersecurity budget, staffing, and contracting | 8 |
| T1228 | Maintain baseline system security | 1 |
| T1229 | Maintain deployable cyber defense audit toolkits | 1 |
| T1230 | Maintain directory replication services | 1 |
| T1231 | Maintain information exchanges through publish, subscribe, and alert functions | 1 |
| T1232 | Approve accreditation packages | 2 |
| T1233 | Monitor cybersecurity data sources | 1 |
| T1234 | Develop Computer Network Defense (CND) guidance for organizational stakeholders | 2 |
| T1235 | Manage threat and target analysis | 1 |
| T1236 | Manage the production of threat information | 1 |
| T1237 | Determine if systems comply with security, resilience, and dependability requirements | 0 |
| T1238 | Determine the effectiveness of enterprise cybersecurity safeguards | 2 |
| T1239 | Monitor the usage of knowledge management assets and resources | 1 |
| T1240 | Create knowledge management assets and resources usage reports | 1 |
| T1241 | Document cybersecurity incidents | 2 |
| T1242 | Escalate incidents that may cause ongoing and immediate impact to the environment | 2 |
| T1243 | Oversee configuration management | 2 |
| T1244 | Develop configuration management recommendations | 2 |
| T1245 | Oversee the cybersecurity training and awareness program | 1 |
| T1246 | Establish Assessment and Authorization (A&A) processes | 1 |
| T1247 | Develop computer environment cybersecurity plans and requirements | 1 |
| T1248 | Patch network vulnerabilities | 1 |
| T1249 | Perform backup and recovery of databases | 1 |
| T1250 | Perform cyber defense incident triage | 1 |
| T1251 | Recommend incident remediation strategies | 1 |
| T1252 | Determine the scope, urgency, and impact of cyber defense incidents | 1 |
| T1253 | Perform dynamic analysis on drives | 2 |
| T1254 | Determine the effectiveness of an observed attack | 1 |
| T1255 | Perform cybersecurity testing of developed applications and systems | 2 |
| T1256 | Perform forensically sound image collection | 2 |
| T1257 | Recommend mitigation and remediation strategies for enterprise systems | 1 |
| T1258 | Perform integrated quality assurance testing | 2 |
| T1259 | Identify opportunities for new and improved business process solutions | 4 |
| T1260 | Perform real-time cyber defense incident handling | 2 |
| T1261 | Mitigate programming vulnerabilities | 1 |
| T1262 | Identify programming code flaws | 1 |
| T1263 | Perform security reviews | 3 |
| T1264 | Identify gaps in security architecture | 3 |
| T1265 | Develop a cybersecurity risk management plan | 3 |
| T1266 | Recommend risk mitigation strategies | 3 |
| T1267 | Perform system administration on specialized cyber defense applications and systems | 1 |
| T1268 | Administer Virtual Private Network (VPN) devices | 1 |
| T1269 | Conduct risk analysis of applications and systems undergoing major changes | 4 |
| T1270 | Plan security authorization reviews for system and network installations | 1 |
| T1271 | Conduct security authorization reviews for system and network installations | 1 |
| T1272 | Develop security assurance cases for system and network installations | 1 |
| T1273 | Plan knowledge management projects | 1 |
| T1274 | Deliver knowledge management projects | 1 |
| T1275 | Determine the effectiveness of data redundancy and system recovery procedures | 1 |
| T1276 | Develop data redundancy and system recovery procedures | 1 |
| T1277 | Execute data redundancy and system recovery procedures | 1 |
| T1278 | Recommend system modifications | 2 |
| T1279 | Prepare audit reports | 2 |
| T1280 | Develop workflow charts and diagrams | 1 |
| T1281 | Convert workflow charts and diagrams into coded computer language instructions | 1 |
| T1282 | Prepare digital media for imaging | 2 |
| T1283 | Develop cybersecurity use cases | 1 |
| T1284 | Develop standard operating procedures for secure network system operations | 1 |
| T1285 | Distribute standard operating procedures | 1 |
| T1286 | Maintain standard operating procedures | 1 |
| T1287 | Document systems security activities | 1 |
| T1288 | Prepare technical evaluations of software applications, systems, and networks | 0 |
| T1289 | Document software application, system, and network security postures, capabilities, and vulnerabilities | 0 |
| T1290 | Communicate daily network event and activity reports | 1 |
| T1291 | Advise stakeholders on the development of continuity of operations plans | 4 |
| T1292 | Develop guidelines for implementing developed systems for customers and installation teams | 1 |
| T1293 | Advise on security requirements to be included in statements of work | 2 |
| T1294 | Advise on Risk Management Framework process activities and documentation | 5 |
| T1295 | Provide cybersecurity awareness and training | 1 |
| T1296 | Recommend data structures for use in the production of reports | 1 |
| T1297 | Recommend new database technologies and architectures | 2 |
| T1298 | Communicate situational awareness information to leadership | 1 |
| T1299 | Determine causes of network alerts | 2 |
| T1300 | Report cybersecurity incidents | 2 |
| T1301 | Report forensic artifacts indicative of a particular operating system | 2 |
| T1302 | Address security implications in the software acceptance phase | 2 |
| T1303 | Recommend new or revised security, resilience, and dependability measures | 0 |
| T1304 | Recommend organizational cybersecurity resource allocations | 1 |
| T1305 | Determine if authorization and assurance documents identify an acceptable level of risk for software applications, systems, and networks | 2 |
| T1306 | Conduct technology program and project audits | 7 |
| T1307 | Develop cybersecurity policy recommendations | 2 |
| T1308 | Coordinate cybersecurity policy review and approval processes | 2 |
| T1309 | Analyze system capabilities and requirements | 3 |
| T1310 | Implement protective or corrective measures when a cybersecurity incident or vulnerability is discovered | 3 |
| T1311 | Design and execute exercise scenarios | 2 |
| T1312 | Conduct test and evaluation activities | 1 |
| T1313 | Test network infrastructure, including software and hardware devices | 1 |
| T1314 | Maintain network infrastructure, including software and hardware devices | 1 |
| T1315 | Track cyber defense incidents from initial detection through final resolution | 1 |
| T1316 | Document cyber defense incidents from initial detection through final resolution | 1 |
| T1317 | Determine if appropriate threat mitigation actions have been taken | 1 |
| T1318 | Integrate security requirements into application design elements | 2 |
| T1319 | Document software attack surface elements | 2 |
| T1320 | Conduct threat modeling | 2 |
| T1321 | Manage computing environment system operations | 1 |
| T1322 | Capture network traffic associated with malicious activities | 2 |
| T1323 | Analyze network traffic associated with malicious activities | 2 |
| T1324 | Process digital evidence | 4 |
| T1325 | Document digital evidence | 4 |
| T1326 | Develop system performance predictions for various operating conditions | 1 |
| T1327 | Update security documentation to reflect current application and system security design features | 2 |
| T1328 | Verify implementation of software, network, and system cybersecurity postures | 1 |
| T1329 | Document software, network, and system deviations from implemented security postures | 1 |
| T1330 | Recommend required actions to correct software, network, and system deviations from implemented security postures | 1 |
| T1331 | Verify currency of software application, network, and system accreditation and assurance documentation | 0 |
| T1332 | Produce incident findings reports | 2 |
| T1333 | Communicate incident findings to appropriate constituencies | 1 |
| T1334 | Produce cybersecurity instructional materials | 5 |
| T1335 | Promote cybersecurity awareness to management | 6 |
| T1336 | Verify the inclusion of sound cybersecurity principles in the organization's vision and goals | 6 |
| T1337 | Identify system and network capabilities | 2 |
| T1338 | Develop cybersecurity capability strategies for custom hardware and software development | 2 |
| T1339 | Develop cybersecurity compliance processes for external services | 1 |
| T1340 | Develop cybersecurity audit processes for external services | 1 |
| T1341 | Perform required reviews | 1 |
| T1342 | Oversee policy standards and implementation strategy development | 2 |
| T1343 | Provide cybersecurity guidance to organizational risk governance processes | 2 |
| T1344 | Determine if procurement activities sufficiently address supply chain risks | 5 |
| T1345 | Recommend improvements to procurement activities to address cybersecurity requirements | 6 |
| T1346 | Determine if system requirements are adequately demonstrated in data samples | 1 |
| T1347 | Detect cybersecurity attacks and intrusions | 1 |
| T1348 | Distinguish between benign and potentially malicious cybersecurity attacks and intrusions | 1 |
| T1349 | Communicate cybersecurity attacks and intrusions alerts | 1 |
| T1350 | Perform continuous monitoring of system activity | 1 |
| T1351 | Determine impact of malicious activity on systems and information | 1 |
| T1352 | Coordinate critical cyber defense infrastructure protection measures | 1 |
| T1353 | Prioritize critical cyber defense infrastructure resources | 1 |
| T1354 | Identify system cybersecurity requirements | 4 |
| T1355 | Determine if vulnerability remediation plans are in place | 3 |
| T1356 | Develop vulnerability remediation plans | 3 |
| T1357 | Determine if cybersecurity requirements have been successfully implemented | 4 |
| T1358 | Determine the effectiveness of organizational cybersecurity policies and procedures | 4 |
| T1359 | Perform penetration testing | 1 |
| T1360 | Design programming language exploitation countermeasures and mitigations | 1 |
| T1361 | Determine the impact of new system and interface implementations on organization's cybersecurity posture | 2 |
| T1362 | Document impact of new system and interface implementations on organization's cybersecurity posture | 2 |
| T1363 | Plan system security development | 3 |
| T1364 | Conduct system security development | 3 |
| T1365 | Document cybersecurity design and development activities | 2 |
| T1366 | Identify supply chain risks for critical system elements | 4 |
| T1367 | Document supply chain risks for critical system elements | 4 |
| T1368 | Support cybersecurity compliance activities | 2 |
| T1369 | Determine if acquisitions, procurement, and outsourcing efforts address cybersecurity requirements | 6 |
| T1370 | Collect intrusion artifacts | 3 |
| T1371 | Mitigate potential cyber defense incidents | 2 |
| T1372 | Advise law enforcement personnel as technical expert | 2 |
| T1373 | Determine organizational compliance | 1 |
| T1374 | Forecast ongoing service demands | 1 |
| T1375 | Conduct periodic reviews of security assumptions | 1 |
| T1376 | Develop critical infrastructure protection policies and procedures | 2 |
| T1377 | Implement critical infrastructure protection policies and procedures | 2 |
| T1378 | Identify cybersecurity solutions tools and technologies | 1 |
| T1379 | Design cybersecurity tools and technologies | 1 |
| T1380 | Develop cybersecurity tools and technologies | 1 |
| T1381 | Scan digital media for viruses | 2 |
| T1382 | Mount a drive image | 2 |
| T1383 | Utilize deployable forensics toolkit | 2 |
| T1384 | Establish intrusion set procedures | 1 |
| T1386 | Analyze network traffic anomalies | 1 |
| T1387 | Validate intrusion detection system alerts | 2 |
| T1388 | Isolate malware | 1 |
| T1389 | Remove malware | 1 |
| T1390 | Identify network device applications and operating systems | 1 |
| T1391 | Reconstruct malicious attacks | 1 |
| T1392 | Develop user experience requirements | 1 |
| T1393 | Document user experience requirements | 1 |
| T1394 | Develop independent cybersecurity audit processes for application software, networks, and systems | 7 |
| T1395 | Implement independent cybersecurity audit processes for application software, networks, and systems | 7 |
| T1396 | Oversee independent cybersecurity audits | 7 |
| T1397 | Determine if research and design processes and procedures are in compliance with cybersecurity requirements | 7 |
| T1398 | Determine if research and design processes and procedures are accurately followed by cybersecurity staff when performing their day-to-day activities | 7 |
| T1399 | Develop supply chain, system, network, and operational security contract language | 5 |
| T1400 | Design and develop secure applications | 3 |
| T1401 | Integrate system development life cycle methodologies into development environment | 1 |
| T1402 | Manage databases and data management systems | 1 |
| T1403 | Allocate cybersecurity services | 2 |
| T1404 | Select cybersecurity mechanisms | 2 |
| T1405 | Identify emerging incident trends | 1 |
| T1406 | Construct cyber defense network tool signatures | 1 |
| T1407 | Correlate threat assessment data | 2 |
| T1408 | Develop quality standards | 1 |
| T1409 | Document quality standards | 1 |
| T1410 | Develop system security contexts | 2 |
| T1411 | Develop technical training curriculum and resources | 3 |
| T1412 | Deliver technical training to customers | 3 |
| T1413 | Develop training modules and classes | 2 |
| T1414 | Develop training assignments | 2 |
| T1415 | Develop training evaluations | 2 |
| T1416 | Develop grading and proficiency standards
2 |
|
T1417
|
Create learner development, training, and remediation plans |
2 |
|
T1418
|
Develop learning objectives and goals |
1 |
|
T1419
|
Develop organizational training materials |
1 |
|
T1420
|
Develop organizational training programs |
0 |
|
T1421
|
Develop proficiency assessments |
1 |
|
T1422
|
Develop software documentation |
2 |
|
T1423
|
Create system security concept of operations (ConOps) documents |
3 |
|
T1424
|
Evaluate network infrastructure vulnerabilities |
1 |
|
T1425
|
Recommend network infrastructure enhancements |
1 |
|
T1426
|
Determine cybersecurity design and architecture effectiveness |
2 |
|
T1427
|
Maintain incident tracking and solution databases |
1 |
|
T1428
|
Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cybersecurity incidents |
1 |
|
T1429
|
Prepare trend analysis reports |
2 |
|
T1430
|
Determine if system components can be aligned |
1 |
|
T1431
|
Integrate system components |
1 |
|
T1432
|
Build dedicated cyber defense hardware |
1 |
|
T1433
|
Install dedicated cyber defense hardware |
1 |
|
T1434
|
Create cybersecurity architecture functional specifications |
2 |
|
T1435
|
Determine if technology services are delivered successfully |
3 |
|
T1436
|
Acquire adequate funding for cybersecurity training |
2 |
|
T1437
|
Determine effectiveness of configuration management processes |
2 |
|
T1438
|
Determine effectiveness of instruction and training |
1 |
|
T1439
|
Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations |
2 |
|
T1440
|
Assess the validity of source data |
1 |
|
T1441
|
Determine the validity of findings |
0 |
|
T1442
|
Assess the impact of implementing and sustaining a dedicated cyber defense infrastructure |
1 |
|
T1443
|
Recommend commercial, government off-the-shelf, or open source products for use within a system |
0 |
|
T1444
|
Determine if products comply with cybersecurity requirements |
0 |
|
T1445
|
Conduct hypothesis testing |
1 |
|
T1446
|
Conduct learning needs assessments |
3 |
|
T1447
|
Identify training requirements |
3 |
|
T1448
|
Manage customer services |
3 |
|
T1449
|
Determine if qualification standards meet organizational functional requirements and comply with industry standards |
1 |
|
T1450
|
Allocate and distribute human capital assets |
2 |
|
T1451
|
Create interactive learning exercises |
1 |
|
T1452
|
Design system administration and management functionality for privileged access users |
0 |
|
T1453
|
Develop system administration and management functionality for privileged access users |
0 |
|
T1454
|
Design secure interfaces between information systems, physical systems, and embedded technologies |
1 |
|
T1455
|
Implement secure interfaces between information systems, physical systems, and embedded technologies |
1 |
|
T1456
|
Determine the impact of threats on cybersecurity |
1 |
|
T1457
|
Implement threat countermeasures |
0 |
|
T1458
|
Develop data gathering processes |
1 |
|
T1459
|
Develop standardized cybersecurity position descriptions using the NICE Framework |
1 |
|
T1460
|
Develop recruiting, hiring, and retention processes |
1 |
|
T1461
|
Determine cybersecurity position requirements |
1 |
|
T1462
|
Develop cybersecurity training policies and procedures |
3 |
|
T1463
|
Develop cybersecurity curriculum goals and objectives |
2 |
|
T1464
|
Determine if cybersecurity workforce management policies and procedures comply with legal and organizational requirements |
2 |
|
T1465
|
Define service-level agreements (SLAs) |
2 |
|
T1466
|
Establish cybersecurity workforce readiness metrics |
1 |
|
T1467
|
Establish waiver processes for cybersecurity career field entry and training qualification requirements |
1 |
|
T1468
|
Establish organizational cybersecurity career pathways |
1 |
|
T1469
|
Develop cybersecurity workforce reporting requirements |
1 |
|
T1470
|
Establish cybersecurity workforce management programs |
1 |
|
T1471
|
Assess cybersecurity workforce management programs |
1 |
|
T1472
|
Gather customer satisfaction and service performance feedback |
4 |
|
T1473
|
Create risk-driven systems maintenance and updates processes |
0 |
|
T1474
|
Define operating level agreements (OLAs) |
2 |
|
T1475
|
Develop instructional strategies |
1 |
|
T1476
|
Promote awareness of cybersecurity policy and strategy among management |
6 |
|
T1477
|
Advise trial counsel as technical expert |
1 |
|
T1478
|
Determine cybersecurity career field qualification requirements |
1 |
|
T1479
|
Determine organizational policies related to or influencing the cyber workforce |
1 |
|
T1480
|
Examine service performance reports for issues and variances |
3 |
|
T1481
|
Initiate corrective actions to service performance issues and variances |
3 |
|
T1482
|
Conduct cybersecurity workforce assessments |
2 |
|
T1483
|
Integrate cybersecurity workforce personnel into information systems life cycle development processes |
1 |
|
T1484
|
Establish testing specifications and requirements |
1 |
|
T1485
|
Prepare after action reviews (AARs) |
2 |
|
T1486
|
Process forensic images |
2 |
|
T1487
|
Perform file and registry monitoring on running systems |
1 |
|
T1488
|
Enter digital media information into tracking databases |
1 |
|
T1489
|
Correlate incident data |
7 |
|
T1490
|
Prepare cyber defense toolkits |
1 |
|
T1491
|
Design data management systems |
2 |
|
T1492
|
Integrate laws and regulations into policy |
3 |
|
T1493
|
Troubleshoot prototype design and process issues |
1 |
|
T1494
|
Recommend vulnerability exploitation functional and security-related features |
1 |
|
T1495
|
Recommend vulnerability mitigation functional- and security-related features |
1 |
|
T1496
|
Develop reverse engineering tools |
1 |
|
T1497
|
Determine supply chain cybersecurity requirements |
3 |
|
T1498
|
Determine if cybersecurity requirements included in contracts are delivered |
4 |
|
T1499
|
Integrate public key cryptography into applications |
1 |
|
T1500
|
Install systems and servers |
1 |
|
T1501
|
Update systems and servers |
1 |
|
T1502
|
Troubleshoot systems and servers |
1 |
|
T1503
|
Evaluate platforms managed by service providers |
1 |
|
T1504
|
Manage organizational knowledge repositories |
1 |
|
T1505
|
Analyze cybersecurity threats for counter intelligence or criminal activity |
1 |
|
T1506
|
Analyze software and hardware testing results |
1 |
|
T1507
|
Determine user requirements |
3 |
|
T1508
|
Plan cybersecurity architecture |
3 |
|
T1509
|
Analyze feasibility of software design within time and cost constraints |
2 |
|
T1510
|
Preserve digital evidence |
3 |
|
T1511
|
Identify alleged violations of law, regulations, policy, or guidance |
1 |
|
T1512
|
Perform periodic system maintenance |
1 |
|
T1513
|
Conduct trial runs of programs and software applications |
2 |
|
T1514
|
Determine accurate security levels in programs and software applications |
0 |
|
T1515
|
Manage network access control lists on specialized cyber defense systems |
1 |
|
T1516
|
Detect concealed data |
1 |
|
T1517
|
Deliver training courses |
1 |
|
T1518
|
Develop organizational cybersecurity strategy |
3 |
|
T1519
|
Design system security measures |
3 |
|
T1520
|
Update system security measures |
3 |
|
T1521
|
Develop enterprise architecture |
2 |
|
T1522
|
Determine if systems meet minimum security requirements |
2 |
|
T1523
|
Design organizational knowledge management frameworks |
1 |
|
T1524
|
Implement organizational knowledge management frameworks |
1 |
|
T1525
|
Maintain organizational knowledge management frameworks |
1 |
|
T1526
|
Identify responsible parties for intrusions and other crimes |
1 |
|
T1527
|
Define baseline system security requirements |
5 |
|
T1528
|
Develop software system testing and validation procedures |
2 |
|
T1529
|
Create software system documentation |
2 |
|
T1530
|
Develop local network usage policies and procedures |
1 |
|
T1531
|
Determine compliance with local network usage policies and procedures |
1 |
|
T1532
|
Develop procedures for system operations transfer to alternate sites |
1 |
|
T1533
|
Test failover for system operations transfer to alternative sites |
1 |
|
T1534
|
Develop cost estimates for new or modified systems |
1 |
|
T1535
|
Develop implementation guidelines |
1 |
|
T1537
|
Determine if cybersecurity training, education, and awareness meet established goals |
1 |
|
T1538
|
Resolve customer-reported system incidents and events |
1 |
|
T1539
|
Analyze organizational cybersecurity posture trends |
2 |
|
T1540
|
Develop organizational cybersecurity posture trend reports |
2 |
|
T1541
|
Develop system security posture trend reports |
2 |
|
T1542
|
Document original condition of digital evidence |
1 |
|
T1543
|
Develop cybersecurity policies and procedures |
3 |
|
T1544
|
Create definition activity documentation |
2 |
|
T1545
|
Create architecture activity documentation |
2 |
|
T1546
|
Provide inspectors general, privacy officers, and oversight and compliance with legal analysis and decisions |
1 |
|
T1547
|
Determine compliance with cybersecurity policies and legal and regulatory requirements |
0 |
|
T1548
|
Determine adequacy of access controls |
2 |
|
T1549
|
Evaluate the impact of legal, regulatory, policy, standard, or procedural changes |
2 |
|
T1550
|
Execute disaster recovery and continuity of operations processes |
1 |
|
T1551
|
Prosecute cybercrimes and fraud committed against people and property |
0 |
|
T1552
|
Identify cyber workforce planning and management issues |
3 |
|
T1553
|
Address cyber workforce planning and management issues |
3 |
|
T1554
|
Recommend enhancements to software and hardware solutions |
1 |
|
T1555
|
Implement cyber defense tools |
1 |
|
T1556
|
Identify system and network protection needs |
1 |
|
T1557
|
Implement security measures for systems and system components |
1 |
|
T1559
|
Resolve vulnerabilities in systems and system components |
1 |
|
T1560
|
Mitigate risks in systems and system components |
1 |
|
T1561
|
Implement dedicated cyber defense systems |
1 |
|
T1562
|
Document system requirements |
1 |
|
T1563
|
Implement system security measures |
4 |
|
T1564
|
Install database management systems and software |
1 |
|
T1565
|
Configure database management systems and software |
1 |
|
T1566
|
Install system hardware, software, and peripheral equipment |
1 |
|
T1567
|
Configure system hardware, software, and peripheral equipment |
1 |
|
T1568
|
Implement cross-domain solutions |
1 |
|
T1569
|
Administer system and network user accounts |
2 |
|
T1570
|
Establish system and network rights processes and procedures |
2 |
|
T1571
|
Establish systems and equipment access protocols |
2 |
|
T1572
|
Inventory technology resources |
1 |
|
T1573
|
Determine if developed solutions meet customer requirements |
1 |
|
T1574
|
Develop risk acceptance documentation for senior leaders and authorized representatives |
1 |
|
T1575
|
Adapt software to new hardware |
1 |
|
T1576
|
Upgrade software interfaces |
1 |
|
T1577
|
Improve software performance |
1 |
|
T1578
|
Monitor system and server configurations |
1 |
|
T1579
|
Maintain system and server configurations |
1 |
|
T1580
|
Monitor client-level computer system performance |
1 |
|
T1581
|
Create client-level computer system performance reports |
1 |
|
T1582
|
Maintain currency of cyber defense threat conditions |
2 |
|
T1583
|
Determine effectiveness of system implementation and testing processes |
5 |
|
T1584
|
Establish minimum security requirements for applications |
2 |
|
T1585
|
Determine if applications meet minimum security requirements |
2 |
|
T1586
|
Conduct cybersecurity risk assessments |
3 |
|
T1587
|
Perform cybersecurity testing on systems in development |
1 |
|
T1588
|
Diagnose faulty system and server hardware |
1 |
|
T1589
|
Repair faulty system and server hardware |
1 |
|
T1590
|
Identify programming flaws |
1 |
|
T1591
|
Address security architecture gaps |
1 |
|
T1592
|
Conduct cybersecurity reviews |
2 |
|
T1593
|
Identify cybersecurity gaps in enterprise architecture |
1 |
|
T1594
|
Plan classroom learning sessions |
1 |
|
T1595
|
Coordinate training and education |
1 |
|
T1596
|
Plan delivery of non-classroom learning |
1 |
|
T1597
|
Plan implementation strategies |
1 |
|
T1598
|
Assess the integration and alignment capabilities of enterprise components |
1 |
|
T1599
|
Prepare legal documents |
1 |
|
T1600
|
Prepare investigative reports |
1 |
|
T1601
|
Advise stakeholders on enterprise cybersecurity risk management |
4 |
|
T1602
|
Advise stakeholders on supply chain risk management |
4 |
|
T1603
|
Recommend threat and vulnerability risk mitigation strategies |
2 |
|
T1604
|
Provide cybersecurity advice on implementation plans, standard operating procedures, maintenance documentation, and maintenance training materials |
2 |
|
T1605
|
Advise management, staff, and users on cybersecurity policy |
2 |
|
T1606
|
Prepare impact reports |
2 |
|
T1607
|
Recover information from forensic data sources |
2 |
|
T1608
|
Perform periodic reviews of learning materials and courses for accuracy and currency |
1 |
|
T1609
|
Recommend revisions to learning materials and curriculum |
1 |
|
T1610
|
Determine if hardware and software complies with defined specifications and requirements |
2 |
|
T1611
|
Record test data |
1 |
|
T1612
|
Manage test data |
1 |
|
T1613
|
Determine if design components meet system requirements |
1 |
|
T1614
|
Determine scalability of system architecture |
1 |
|
T1615
|
Advise stakeholders on vulnerability compliance |
2 |
|
T1616
|
Resolve computer security incidents |
2 |
|
T1617
|
Prepare cyber defense reports |
2 |
|
T1618
|
Advise stakeholders on disaster recovery, contingency, and continuity of operations plans |
2 |
|
T1619
|
Perform risk and vulnerability assessments |
2 |
|
T1620
|
Recommend cost-effective security controls |
1 |
|
T1621
|
Prepare supply chain security reports |
4 |
|
T1622
|
Prepare risk management reports |
4 |
|
T1623
|
Develop supply chain cybersecurity risk management policy |
1 |
|
T1624
|
Conduct vulnerability analysis of software patches and updates |
2 |
|
T1625
|
Prepare vulnerability analysis reports |
2 |
|
T1626
|
Determine impact of new systems and system interfaces on current and target environments |
2 |
|
T1627
|
Conduct cybersecurity management assessments |
1 |
|
T1628
|
Design cybersecurity management functions |
1 |
|
T1639
|
Assess target vulnerabilities and operational capabilities |
1 |
|
T1640
|
Determine effectiveness of intelligence collection operations |
1 |
|
T1641
|
Recommend adjustments to intelligence collection strategies |
1 |
|
T1643
|
Develop common operational pictures |
1 |
|
T1644
|
Develop cyber operations indicators |
1 |
|
T1645
|
Coordinate all-source collection activities |
1 |
|
T1646
|
Validate all-source collection requirements and plans |
1 |
|
T1647
|
Develop priority information requirements |
1 |
|
T1648
|
Develop performance success metrics |
0 |
|
T1650
|
Develop cybersecurity success metrics |
0 |
|
T1651
|
Prepare threat and target briefings |
1 |
|
T1652
|
Prepare threat and target situational updates |
1 |
|
T1658
|
Determine customer requirements |
2 |
|
T1666
|
Exploit wireless computer and digital networks |
0 |
|
T1669
|
Analyze system vulnerabilities within a network |
0 |
|
T1670
|
Conduct on-net activities |
0 |
|
T1671
|
Exfiltrate data from deployed technologies |
0 |
|
T1672
|
Conduct off-net activities |
0 |
|
T1676
|
Survey computer and digital networks |
0 |
|
T1679
|
Develop organizational decision support tools |
0 |
|
T1686
|
Identify intelligence requirements |
1 |
|
T1689
|
Create comprehensive exploitation strategies |
0 |
|
T1690
|
Identify exploitable technical or operational vulnerabilities |
1 |
|
T1698
|
Collect target information |
0 |
|
T1699
|
Develop crisis plans |
0 |
|
T1700
|
Maintain crisis plans |
0 |
|
T1708
|
Prepare operational assessment reports |
0 |
|
T1712
|
Recommend potential courses of action |
2 |
|
T1713
|
Develop feedback procedures |
0 |
|
T1717
|
Recommend changes to planning policies and procedures |
0 |
|
T1718
|
Implement changes to planning policies and procedures |
0 |
|
T1719
|
Develop cybersecurity cooperation agreements with external partners |
0 |
|
T1732
|
Determine effectiveness of network analysis strategies |
0 |
|
T1734
|
Exploit network devices and terminals |
0 |
|
T1736
|
Communicate tool requirements to developers |
0 |
|
T1737
|
Develop intelligence collection strategies |
1 |
|
T1741
|
Designate priority information requirements |
0 |
|
T1743
|
Identify information collection gaps |
1 |
|
T1747
|
Identify system vulnerabilities within a network |
0 |
|
T1758
|
Determine potential implications of new and emerging hardware and software technologies |
0 |
|
T1762
|
Modify collection requirements |
1 |
|
T1763
|
Determine effectiveness of collection requirements |
1 |
|
T1765
|
Monitor changes to designated cyber operations warning problem sets |
1 |
|
T1766
|
Prepare change reports for designated cyber operations warning problem sets |
1 |
|
T1767
|
Monitor threat activities |
1 |
|
T1768
|
Prepare threat activity reports |
1 |
|
T1770
|
Report on adversarial activities that fulfill priority information requirements |
1 |
|
T1772
|
Identify indications and warnings of target communication changes or processing failures |
1 |
|
T1775
|
Prepare cyber operations intelligence reports |
1 |
|
T1776
|
Prepare indications and warnings intelligence reports |
1 |
|
T1777
|
Conduct policy reviews |
0 |
|
T1779
|
Coordinate strategic planning efforts with internal and external partners |
1 |
|
T1780
|
Develop external coordination policies |
0 |
|
T1781
|
Degrade or remove data from networks and computers |
0 |
|
T1784
|
Process exfiltrated data |
0 |
|
T1786
|
Profile system administrators and their activities |
0 |
|
T1789
|
Provide aim point recommendations for targets |
0 |
|
T1790
|
Provide reengagement recommendations |
0 |
|
T1792
|
Assess effectiveness of intelligence production |
1 |
|
T1793
|
Assess effectiveness of intelligence reporting |
1 |
|
T1798
|
Provide intelligence analysis and support |
1 |
|
T1799
|
Notify appropriate personnel of imminent hostile intentions or activities |
2 |
|
T1801
|
Determine validity and relevance of information |
1 |
|
T1802
|
Prepare network reports |
0 |
|
T1804
|
Prepare network intrusion reports |
1 |
|
T1806
|
Research communications trends in emerging technologies |
0 |
|
T1829
|
Evaluate locally developed tools |
2 |
|
T1830
|
Test internally developed software |
0 |
|
T1831
|
Track status of information requests |
0 |
|
T1835
|
Determine if intelligence requirements and collection plans are accurate and up-to-date |
1 |
|
T1836
|
Document lessons learned during events and exercises |
0 |
|
T1842
|
Identify metadata patterns |
0 |
|
T1846
|
Develop natural language processing tools |
0 |
|
T1849
|
Communicate critical or time-sensitive information |
0 |
|
T1853
|
Determine if new and existing services comply with privacy and data security obligations |
1 |
|
T1854
|
Develop and maintain privacy and confidentiality consent forms |
1 |
|
T1855
|
Develop and maintain privacy and confidentiality authorization forms |
1 |
|
T1856
|
Integrate civil rights and civil liberties in organizational programs, policies, and procedures |
1 |
|
T1857
|
Integrate privacy considerations in organizational programs, policies, and procedures |
1 |
|
T1858
|
Serve as liaison to regulatory and accrediting bodies |
1 |
|
T1859
|
Register databases with local privacy and data protection authorities |
1 |
|
T1860
|
Promote privacy awareness to management |
1 |
|
T1861
|
Establish organizational Privacy Oversight Committee |
1 |
|
T1862
|
Establish cybersecurity risk assessment processes |
2 |
|
T1863
|
Develop information sharing strategic plans |
1 |
|
T1864
|
Develop organizational information infrastructure |
1 |
|
T1865
|
Implement organizational information infrastructure |
1 |
|
T1866
|
Develop self-disclosure policies and procedures |
1 |
|
T1867
|
Oversee consumer information access rights |
1 |
|
T1868
|
Serve as information privacy liaison to technology system users |
1 |
|
T1869
|
Serve as liaison to information systems department |
1 |
|
T1870
|
Create privacy training materials |
3 |
|
T1871
|
Prepare privacy awareness communications |
3 |
|
T1872
|
Deliver privacy awareness orientations |
1 |
|
T1873
|
Deliver privacy awareness trainings |
3 |
|
T1874
|
Manage organizational participation in public privacy and cybersecurity events |
1 |
|
T1875
|
Prepare privacy program status reports |
1 |
|
T1876
|
Respond to press and other public data security inquiries |
1 |
|
T1877
|
Develop organizational privacy program |
1 |
|
T1878
|
Apply sanctions for failure to comply with privacy policies |
1 |
|
T1879
|
Develop sanctions for failure to comply with privacy policies |
1 |
|
T1880
|
Resolve allegations of noncompliance with privacy policies and notice of information practices |
1 |
|
T1881
|
Develop a risk management and compliance framework for privacy |
1 |
|
T1882
|
Determine if projects comply with organizational privacy and data security policies |
1 |
|
T1883
|
Develop organizational privacy policies and procedures |
1 |
|
T1884
|
Establish complaint processes |
1 |
|
T1885
|
Establish mechanisms to track access to protected health information |
1 |
|
T1886
|
Maintain the organizational policy program |
1 |
|
T1887
|
Conduct privacy impact assessments |
1 |
|
T1888
|
Conduct privacy compliance monitoring |
1 |
|
T1889
|
Align cybersecurity and privacy practices in system information security plans |
1 |
|
T1890
|
Determine if protected information releases comply with organizational policies and procedures |
1 |
|
T1891
|
Administer requests for release or disclosure of protected information |
1 |
|
T1892
|
Develop vendor review procedures |
1 |
|
T1893
|
Develop vendor auditing procedures |
1 |
|
T1894
|
Determine if partner and business agreements address privacy requirements and responsibilities |
1 |
|
T1895
|
Provide legal advice for business partner contracts |
1 |
|
T1896
|
Mitigate Personally Identifiable Information (PII) breaches |
1 |
|
T1897
|
Administer action on organizational privacy complaints |
1 |
|
T1898
|
Determine if the organization's privacy program complies with federal and state privacy laws and regulations |
1 |
|
T1899
|
Identify organizational privacy compliance gaps |
1 |
|
T1900
|
Correct organizational privacy compliance gaps |
1 |
|
T1901
|
Manage privacy breaches |
1 |
|
T1902
|
Implement and maintain organizational privacy policies and procedures |
1 |
|
T1903
|
Develop and maintain privacy and confidentiality information notices |
1 |
|
T1904
|
Determine business partner requirements |
0 |
|
T1905
|
Monitor advancements in information privacy technologies |
1 |
|
T1906
|
Establish a cybersecurity risk management program |
1 |
|
T1907
|
Establish organizational risk management strategies |
1 |
|
T1908
|
Determine which business functions a system supports |
0 |
|
T1909
|
Determine system stakeholders |
0 |
|
T1910
|
Identify common controls available for inheritance by organizational systems |
0 |
|
T1911
|
Determine the security categorization for organizational systems |
0 |
|
T1912
|
Determine system boundaries |
0 |
|
T1913
|
Identify system security requirements |
2 |
|
T1914
|
Register systems with organizational program management offices |
0 |
|
T1915
|
Identify required system security controls |
0 |
|
T1916
|
Document planned system security control implementations |
0 |
|
T1917
|
Establish security control monitoring strategies |
0 |
|
T1918
|
Review and approve System Security Plans (SSPs) |
0 |
|
T1919
|
Implement system security controls |
0 |
|
T1920
|
Establish system configuration baselines |
0 |
|
T1921
|
Document changes to planned system control implementations |
0 |
|
T1922
|
Develop system security control assessment plans |
0 |
|
T1923
|
Approve system security control assessment plans |
0 |
|
T1924
|
Determine effectiveness of security controls |
0 |
|
T1925
|
Prepare security control assessment reports |
0 |
|
T1926
|
Conduct security control remediations |
0 |
|
T1927
|
Develop cybersecurity action plans and milestones |
0 |
|
T1928
|
Prepare authorization packages |
0 |
|
T1929
|
Submit authorization packages to authorizing officials for adjudication |
0 |
|
T1930
|
Determine risks of operating or using a system |
0 |
|
T1931
|
Determine risks of using common controls |
0 |
|
T1932
|
Implement cybersecurity action plans |
0 |
|
T1933
|
Determine if system security risks are acceptable |
0 |
|
T1934
|
Determine if common control risks are acceptable |
0 |
|
T1935
|
Update cybersecurity action plans |
0 |
|
T1936
|
Report system security status to authorizing officials |
0 |
|
T1937
|
Determine if system security meets acceptable risk levels |
0 |
|
T1938
|
Establish system disposal processes |
0 |
|
T1939
|
Implement system disposal processes |
0 |
|
T1940
|
Form continuous monitoring working groups |
0 |
|
T1941
|
Establish continuous monitoring scoring and grading metrics |
0 |
|
T1942
|
Integrate a continuous monitoring program into organizational security governance structures and policies |
0 |
|
T1943
|
Make cybersecurity investment decisions to address persistent issues |
0 |
|
T1944
|
Provide training and resources to continuous monitoring staff |
0 |
|
T1945
|
Prepare continuous monitoring reports |
0 |
|
T1946
|
Determine if risk metrics support continuous monitoring |
0 |
|
T1947
|
Determine if continuous monitoring data provides situational awareness of risk levels |
0 |
|
T1948
|
Define unacceptable risk threshold triggers for continuous monitoring data |
0 |
|
T1949
|
Establish system-level reporting categories |
0 |
|
T1950
|
Manage the continuous monitoring program |
0 |
|
T1951
|
Establish continuous monitoring communication processes |
0 |
|
T1952
|
Identify reporting requirements that are fulfilled by the continuous monitoring program |
0 |
|
T1953
|
Establish continuous monitoring reporting requirements |
0 |
|
T1954
|
Perform continuous monitoring |
0 |
|
T1955
|
Establish automated control assessment reporting requirements |
0 |
|
T1956
|
Conduct continuous monitoring data assessments |
0 |
|
T1957
|
Integrate continuous monitoring results in ongoing authorizations |
0 |
|
T1958
|
Establish access control processes for continuous monitoring tools and technologies |
0 |
|
T1959
|
Implement access control processes for continuous monitoring tools and technologies |
0 |
|
T1960
|
Establish technical help processes for continuous monitoring mitigators |
0 |
|
T1961
|
Communicate continuous monitoring reporting requirements |
0 |
|
T1962
|
Define responsibilities for implementing continuous monitoring tools or technologies |
0 |
|
T1963
|
Establish liaison to scoring and metrics working group |
0 |
|
T1964
|
Establish risk management processes |
0 |
|
T1965
|
Establish performance measurement requirements for continuous monitoring tools and technologies |
0 |
|
T1966
|
Assess continuous monitoring performance |
0 |
|
T1967
|
Coordinate responses to issues flagged during continuous monitoring |
0 |
|
T1968
|
Implement risk mitigation strategies |
0 |
|
T1969
|
Document system alerts |
1 |
|
T1970
|
Escalate system alerts that may indicate risks |
1 |
|
T1971
|
Disseminate anomalous activity reports to the insider threat hub |
1 |
|
T1972
|
Identify anomalous activity |
0 |
|
T1973
|
Conduct independent comprehensive assessments of target-specific information |
1 |
|
T1974
|
Conduct insider threat risk assessments |
1 |
|
T1975
|
Prepare insider threat briefings |
1 |
|
T1976
|
Recommend risk mitigation courses of action (CoA) |
1 |
|
T1977
|
Coordinate with internal and external incident management partners across jurisdictions |
1 |
|
T1978
|
Recommend improvements to insider threat detection processes |
1 |
|
T1979
|
Collect digital evidence that meets priority intelligence requirements |
1 |
|
T1980
|
Develop digital evidence reports for internal and external partners |
1 |
|
T1981
|
Develop elicitation indicators |
1 |
|
T1982
|
Identify high value assets |
1 |
|
T1983
|
Identify potential insider threats |
1 |
|
T1984
|
Notify appropriate personnel of imminent hostile intentions or activities |
0 |
|
T1985
|
Identify imminent or hostile intentions or activities |
1 |
|
T1986
|
Develop a continuously updated overview of an incident throughout the incident's life cycle |
1 |
|
T1987
|
Develop insider threat cyber operations indicators |
1 |
|
T1988
|
Integrate information from cyber resources, internal partners, and external partners |
1 |
|
T1989
|
Advise insider threat hub inquiries |
1 |
|
T1990
|
Conduct cybersecurity insider threat inquiries |
1 |
|
T1991
|
Deliver all-source cyber operations and intelligence indications and warnings |
1 |
|
T1992
|
Interpret network activity for intelligence value |
1 |
|
T1993
|
Monitor network activity for vulnerabilities |
1 |
|
T1994
|
Identify potential insider risks to networks |
1 |
|
T1995
|
Document potential insider risks to networks |
1 |
|
T1996
|
Report network vulnerabilities |
1 |
|
T1997
|
Develop insider threat investigation plans |
1 |
|
T1998
|
Investigate alleged insider threat cybersecurity policy violations |
1 |
|
T1999
|
Refer cases on active insider threat activities to law enforcement investigators |
1 |
|
T2000
|
Perform cybersecurity reviews |
0 |
|
T2001
|
Establish an insider threat risk management assessment program |
1 |
|
T2002
|
Recommend courses of action or countermeasures to mitigate risks |
0 |
|
T2003
|
Evaluate organizational insider risk response capabilities |
1 |
|
T2004
|
Document insider threat information sources |
1 |
|
T2005
|
Conduct insider threat studies |
1 |
|
T2006
|
Identify potential targets for exploitation |
1 |
|
T2007
|
Analyze potential targets for exploitation |
1 |
|
T2008
|
Vet insider threat targeting with law enforcement and intelligence partners |
0 |
|
T2009
|
Develop insider threat targets |
1 |
|
T2010
|
Maintain User Activity Monitoring (UAM) tools |
1 |
|
T2011
|
Monitor the output from User Activity Monitoring (UAM) tools |
1 |
|
T2012
|
Check network connections |
1 |
|
T2013
|
Look for indicators of intrusions |
1 |
|
T2014
|
Identify devices and networks on scene |
1 |
|
T2015
|
Collect devices containing digital evidence |
1 |
|
T2016
|
Identify areas of compromise |
1 |
|
T2017
|
Acquire digital evidence |
1 |
|
T2018
|
Create a digital footprint of raw or physical data |
1 |
|
T2019
|
Process data into readable format |
1 |
|
T2020
|
Prepare data for ingestion into application systems |
1 |
|
T2021
|
Recover deleted or overwritten data files |
1 |
|
T2022
|
Create derivative evidence from findings report |
1 |
|
T2023
|
Serve as subject expert in training fact witnesses for testifying |
1 |
|
T2024
|
Present factual causality to support attribution of criminal activity |
1 |
|
T2025
|
Prepare technical materials for legal proceedings |
1 |
|
T2026
|
Serve as liaison to prosecutors |
1 |
|
T2027
|
Manage forensic laboratory accreditation processes |
1 |
|
T2028
|
Develop OT inventory model for cybersecurity |
1 |
|
T2029
|
Serve as OT engineering subject matter expert during development of change management policies and procedures |
1 |
|
T2030
|
Determine if implementation of security measures and controls meets regulatory standards and is in compliance with legal or policy requirements |
1 |
|
T2031
|
Identify gaps in OT network architecture |
1 |
|
T2032
|
Assign security level targets to network zones for control systems |
1 |
|
T2033
|
Create a change management plan |
1 |
|
T2034
|
Design cybersecurity tools for OT systems |
1 |
|
T2035
|
Perform a process hazard analysis (PHA) |
1 |
|
T2036
|
Review policies, standards, and regulations for conflicts that may create control system vulnerabilities |
1 |
|
T2037
|
Create cybersecurity inspection and test policies and procedures for OT systems |
1 |
|
T2038
|
Develop system procurement specifications |
1 |
|
T2039
|
Determine the impact of cybersecurity requirements on costs and budgeting |
1 |
|
T2040
|
Conduct cybersecurity reviews of OT system engineering plans and documentation |
1 |
|
T2041
|
Participate in safety system design processes to counteract potential cybersecurity sabotage |
1 |
|
T2042
|
Generate cyberattack scenarios of serious physical consequence |
1 |
|
T2043
|
Oversee implementation of system controls |
1 |
|
T2044
|
Develop system upgrade specifications |
1 |
|
T2045
|
Assign networked engineering assets to security zones |
1 |
|
T2046
|
Communicate implication of new and upgraded technologies to cybersecurity program stakeholders |
1 |
|
T2047
|
Inventory OT assets |
1 |
|
T2048
|
Recommend cybersecurity requirements for integration in continuity planning |
1 |
|
T2049
|
Serve as OT engineering subject matter expert for cybersecurity standards, policies, and procedures development |
1 |
|
T2050
|
Serve as OT engineering subject matter expert for development of organizational cybersecurity risk management plan |
1 |
|
T2051
|
Train cybersecurity defense technicians on OT system processes and procedures |
1 |
|
T2052
|
Disseminate investigative report findings |
1 |
|
T2053
|
Deconflict investigative activity with other law enforcement agencies |
1 |
|
T2054
|
Determine appropriate jurisdiction for legal action |
1 |
|
T2055
|
Collect physical evidence of cyber intrusion incidents, investigations, and operations |
1 |